Closed
Hi,
The following was reported downstream in Debian in https://bugs.debian.org/875966.
The reproducer (compressed with gzip; output of base64 oob.iso.gz) is:
H4sIAAAAAAACA+3WsQmAQAwF0NwqTvCtHED3X0mbaxQEwUa897o0v0lCkgAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAbd2SudXbnOqWS33nSeZ0Stcr/rBwBnlwBV+x9/sPAIzDOw4AAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAADJAVTyAwTg/wAA
Tested against 5562545:
ASAN_OPTIONS="detect_leaks=0" ./bsdtar -xOf ~/oob.iso
=================================================================
==13912==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000024800 at pc 0x5644c43511e9 bp 0x7ffc1fbd20d0 sp 0x7ffc1fbd20c8
READ of size 1 at 0x631000024800 thread T0
#0 0x5644c43511e8 in parse_file_info libarchive/archive_read_support_format_iso9660.c:1767
#1 0x5644c434c76f in choose_volume libarchive/archive_read_support_format_iso9660.c:1115
#2 0x5644c434cdeb in archive_read_format_iso9660_read_header libarchive/archive_read_support_format_iso9660.c:1181
#3 0x5644c4304d61 in _archive_read_next_header2 libarchive/archive_read.c:648
#4 0x5644c430502f in _archive_read_next_header libarchive/archive_read.c:686
#5 0x5644c43c938f in archive_read_next_header libarchive/archive_virtual.c:148
#6 0x5644c42e0110 in read_archive tar/read.c:260
#7 0x5644c42df303 in tar_mode_x tar/read.c:112
#8 0x5644c42dc62d in main tar/bsdtar.c:866
#9 0x7f31071db2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#10 0x5644c42d7f79 in _start (/root/libarchive/bsdtar+0x3ff79)
0x631000024800 is located 0 bytes to the right of 65536-byte region [0x631000014800,0x631000024800)
allocated by thread T0 here:
#0 0x7f3108af8b70 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9b70)
#1 0x5644c431926e in file_open libarchive/archive_read_open_filename.c:358
#2 0x5644c4303da8 in archive_read_open1 libarchive/archive_read.c:480
#3 0x5644c43186ba in archive_read_open_filenames libarchive/archive_read_open_filename.c:152
#4 0x5644c43182ae in archive_read_open_filename libarchive/archive_read_open_filename.c:109
#5 0x5644c42dfed2 in read_archive tar/read.c:222
#6 0x5644c42df303 in tar_mode_x tar/read.c:112
#7 0x5644c42dc62d in main tar/bsdtar.c:866
#8 0x7f31071db2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
SUMMARY: AddressSanitizer: heap-buffer-overflow libarchive/archive_read_support_format_iso9660.c:1767 in parse_file_info
Shadow bytes around the buggy address:
0x0c627fffc8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffc8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffc8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffc8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffc8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffc900:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffc910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffc920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffc930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffc940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffc950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13912==ABORTING
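The report above pins the fault to a one-byte read at exactly the end of the 65536-byte read-ahead buffer allocated in file_open, while parse_file_info is walking directory records. The example below is an added illustration, not libarchive's code and not a reproduction of this bug: a small ISO 9660 directory-record parser that checks a record's own length byte and its identifier length against the bytes actually available before touching any of them, and reports an error for a record that claims more than the buffer holds. The field offsets follow ECMA-119 section 9.1; the function names (parse_dir_record, walk_dir_records, make_record, demo_*) and the sample records are constructed for this example.

```c
/* Bounds-checked walk over ISO 9660 directory records (added illustration,
 * not libarchive's code). Every length field is validated against `avail`
 * before any byte beyond it is read. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Directory record fields of interest (ECMA-119 section 9.1). */
struct dir_record {
    uint8_t  length;      /* byte 0: length of the whole record */
    uint32_t extent_lba;  /* bytes 2..5: little-endian half of the both-endian LBA */
    uint32_t data_len;    /* bytes 10..13: little-endian half of the data length */
    uint8_t  flags;       /* byte 25 */
    uint8_t  name_len;    /* byte 32 */
    char     name[256];   /* bytes 33..33+name_len, NUL-terminated copy */
};

#define DR_FIXED_SIZE 33  /* bytes before the file identifier */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one record at buf[0..avail). Returns bytes consumed, 0 for a
 * padding byte (end of sector), or -1 if the record does not fit inside
 * the bytes that are actually available. */
int parse_dir_record(const uint8_t *buf, size_t avail, struct dir_record *out)
{
    if (avail < 1)
        return -1;
    uint8_t len = buf[0];
    if (len == 0)
        return 0;                        /* sector padding, nothing to parse */
    if (len < DR_FIXED_SIZE || (size_t)len > avail)
        return -1;                       /* record claims more than we have */
    uint8_t name_len = buf[32];          /* safe: len >= 33 and len <= avail */
    if ((size_t)DR_FIXED_SIZE + name_len > len)
        return -1;                       /* identifier runs past the record */

    out->length     = len;
    out->extent_lba = rd_le32(buf + 2);
    out->data_len   = rd_le32(buf + 10);
    out->flags      = buf[25];
    out->name_len   = name_len;
    memcpy(out->name, buf + DR_FIXED_SIZE, name_len);
    out->name[name_len] = '\0';
    return len;
}

/* Walk all records in a buffer; returns the number parsed, or -1 on the
 * first malformed one. */
int walk_dir_records(const uint8_t *buf, size_t avail)
{
    int count = 0;
    size_t off = 0;
    while (off < avail) {
        struct dir_record dr;
        int n = parse_dir_record(buf + off, avail - off, &dr);
        if (n < 0)
            return -1;
        if (n == 0) { off++; continue; } /* skip padding */
        count++;
        off += (size_t)n;
    }
    return count;
}

/* Build a minimal well-formed record (constructed sample data). Records are
 * padded to an even length, as the format requires. */
static size_t make_record(uint8_t *dst, const char *name, uint32_t lba, uint32_t size)
{
    size_t name_len = strlen(name);
    size_t len = DR_FIXED_SIZE + name_len + ((name_len % 2 == 0) ? 1 : 0);
    memset(dst, 0, len);
    dst[0] = (uint8_t)len;
    for (int i = 0; i < 4; i++) {
        dst[2 + i]  = (uint8_t)(lba >> (8 * i));
        dst[10 + i] = (uint8_t)(size >> (8 * i));
    }
    dst[32] = (uint8_t)name_len;
    memcpy(dst + DR_FIXED_SIZE, name, name_len);
    return len;
}

/* Two complete records: parses both. */
int demo_well_formed(void)
{
    uint8_t buf[128];
    size_t n = make_record(buf, "HELLO.TXT;1", 20, 512);
    n += make_record(buf + n, "README.TXT;1", 21, 1024);
    return walk_dir_records(buf, n);      /* 2 */
}

/* Same bytes, but the walker is told 10 fewer are available: the second
 * record's length byte still claims the full record and must be rejected
 * instead of being read past `avail`. */
int demo_truncated(void)
{
    uint8_t buf[128];
    size_t n = make_record(buf, "HELLO.TXT;1", 20, 512);
    n += make_record(buf + n, "README.TXT;1", 21, 1024);
    return walk_dir_records(buf, n - 10); /* -1 */
}

int main(void)
{
    printf("well-formed: %d records\n", demo_well_formed());
    printf("truncated:   %d (error)\n", demo_truncated());
    return 0;
}
```

The point of the check is that `avail` is the number of bytes the caller really has in hand (the read-ahead buffer in the trace above is 65536 bytes), not the number of bytes the on-disk structure says should follow; a truncated or crafted record fails the comparison and the parser stops instead of reading the first byte past the buffer.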